Verisign Discontinues Flawed MD5 Certificates

Verisign Inc. is getting rid of its MD5 digital certificates a month early after researchers revealed that an exploitable flaw in the algorithm could allow hackers to impersonate a banking or retail Web site and steal customers' financial data.

Mountain View, Calif.-based Verisign, a managed security service provider, said that it has immediately discontinued the flawed MD5 cryptographic function used for digital signatures, while offering a free transition for customers to move to the more secure RapidSSL brand certificates using the SHA-1 algorithm.

"We applaud this team's research and efforts to improve online security as well as their disclosure of the findings for the benefit of the broader Internet community," said Chris Babel, Verisign SVP and general manager. "We take issues like these very seriously and work quickly to remedy vulnerabilities that could potentially affect trust and security online."

Verisign's announcement comes a day after security researchers from the U.S., the Netherlands and Switzerland presented findings for an exploitable vulnerability in the MD5 cryptographic hash function during the 2008 Chaos Communication Congress in Berlin.

During the conference, researchers demonstrated how hackers could launch an attack by successfully duplicating an SSL certificate--indicating a Web site is secure for communication or financial transaction--which was issued by certification authority RapidSSL. Once the SSL signature is duplicated, hackers could then impersonate any Web site on the Internet, such as banking and e-commerce sites, and subsequently trick users into thinking that they were securely submitting sensitive data such as credit card numbers and bank account information over the Internet.

Many Web browsers rely on companies known as certification authorities, or CAs, to issue digital security credentials, or SSL certificates, to identify and authenticate legitimate Web sites. And a few CAs, like RapidSSL, still rely on the MD5 cryptographic function for digital signatures.

Yet the errors detected in MD5 aren't entirely new. Security experts say that weaknesses in MD5 were detected back in 2004, and many CAs have since migrated to the more robust SHA-1 algorithm. But while the MD5 hashing function has over time become obsolete, it is still used by a few CAs and accepted by all Web browsers.

"The infrastructure of certification authorities is meant to prevent exactly this type of attack," the research team said in posted findings. "Our work shows that known weaknesses in the MD5 hash function can be exploited in a realistic attack, due to the fact that even after years of warning about the lack of security of MD5, some root CAs are still using this broken hash function."

Security experts say that the findings aren't necessarily a cause for alarm, but rather indicate a trend of CAs not doing their job.

"The companies that issue certificates under those roots can distinguish themselves in different ways. There are [companies] whose specialty is lowest cost. Strong algorithms may take second place to doing what you've always been doing," said Paul Kocher, president and chief scientist of Cryptography Research, a data security research firm based in San Francisco. "If any CA is doing something that becomes the weakest link, then that is what adversaries are going to exploit."

Verisign said in a statement that it had been phasing out its MD5 hashing algorithm over a period of years, and had intended to eliminate MD5 digital certificates altogether by the end of January 2009.